TechBeat: Information security – perception and risk
Time after time, studies have shown that we often do not perform very well when assessing risk. We tend to be overly optimistic in many respects, thinking the worst may not happen and even if it does, not to us.
Information security is all about correctly identifying and managing risk, which if incorrectly done, could leave an organisation exposed to all kinds of trouble, not least of which may be unfavourable exposure in the media.
TechPro, in association with DataSolutions, polled 171 Irish IT professionals to gauge the perception of risk, sources of concern and responsibility when it comes to information security. The results are illuminating and show that there can be a worrying disparity between what the security professionals are telling us and what users perceive.
Respondents came from a range of organisation size, with more than a third (38%) coming from larger organisations in the 500-1000+ range, less than a third (30%) from small organisations of 50 or less, and the rest from medium size organisations.
The sector break down saw more than a third (34%) of respondents from technology and the IT industry, followed by 15% in government, 12% in finance and 10% manufacturing. In the other category there was a mix of education, transport and not-for-profit and NGO, comprising 19%. Legal, media and healthcare made up the rest.
The survey started big, asking which department caused the most concern when it came to information security risk.
Sales and operations came out on top, with 22% and 20% respectively, but perhaps surprisingly, the IT department came in at 19%. Some way behind them came marketing at 11%, finance at 9%, and HR with 8%. There were some significant mentions in the other category, with a few respondents indicating that all users in their organisations presented equal risk.
When asked for the primary concern around this department, the leader by some margin was a lack of IT security knowledge among personnel at more than a third (36%). This was followed by the use of personal devices and applications (18%), downloading malicious files and clicking on unsafe links (15%) and the use of social media and public cloud services at 14%. Perhaps reassuringly, the lack of effective tools and technology was specified by only 7%. Malicious current or former employees was cited as a primary concern by only 6%. A positive metric was that only 4% of respondents thought that the reason for their concern as a lack of IT security information provided by company.
“Clearly, it’s proving to be a big challenge for companies to get the message through to the user and the disparity between the results of the information being provided and a lack of knowledge among the user population is an issue,” said David Keating, sales manager, Data Solutions.
Keating said that this might be down to the fact that people are so busy, with workers concerned about the need to get their jobs done and to meet targets, as well as the need to work smarter and faster.
“Companies need to get the message across that people need to work more securely also,” said Keating.
Getting the message across as to the nature of risk is a critical factor and respondents were asked about the average user’s understanding of information security risk.
Respondents were asked to rate the average IT user in the organisation for their understanding of information security risk. The net positive indicator (those who agreed or strongly agreed) was some 58% for users being well briefed, with the net positive for those deemed to know enough at 50%, while the net positive for users fully understanding risk was 43%. This is somewhat at odds with the results from the first question about the riskiest department, where many said all users were a risk.
“It all comes down to education,” said Keating. “The more education the user has about information security threats, the better. The IT department can put measures in place, but at some point the user needs to accept a certain amount of responsibility.”
Again, responsibility is a key issue here, both real and perceived.